Lithuania’s Centre of Registers (Registrų centras) disclosed a major data breach on 25 May 2026, with roughly 600,000 records from the Real Estate Register and the Register of Legal Entities accessed through the misuse of credentials belonging to authorised query institutions. The credentials were used from abroad, according to Lithuania’s General Prosecutor’s Office. Director Adrijus Jusas resigned the same day. A pre-trial investigation has been opened by the Criminal Police Bureau, and records relating to intelligence officers are reported to be among the affected data.
Updated 25 May 2026. Numbers in the charts below are live Alerts.bar credential-supply data, queried the day of the disclosure.
Key takeaways
- Scale. About 600,000 records accessed from two of Lithuania’s foundational state registers.
- Mechanism. Not a perimeter breach. Attackers reused valid credentials of third-party institutions that are authorised to query the registers.
- Direct exposure. Alerts.bar’s stealer-log index shows 117 accounts tied to the breached agency’s own domain, including 3 live infected staff endpoints.
- Ecosystem exposure. Across 18 sampled Lithuanian institutional domains, 60 live infected staff endpoints and 60,700 stolen session cookies are circulating in stealer-log marketplaces.
- Attribution. No group named. Queries originated from abroad; Lithuania’s Criminal Police Bureau is leading the pre-trial investigation.
- What MFA does not stop. Stolen browser session cookies replay an authenticated session without triggering an MFA challenge.

What happened at Registrų centras?
Registrų centras is the state-owned operator of Lithuania’s foundational registries, including the Real Estate Register and the Register of Legal Entities. On 25 May 2026, the agency confirmed that an unauthorised party accessed roughly 600,000 records by abusing the credentials of institutions legitimately permitted to query the registers. The agency said the queries originated from outside Lithuania. Director Adrijus Jusas resigned within hours of the disclosure, and the General Prosecutor’s Office opened a pre-trial investigation handled by the Criminal Police Bureau.
Lithuanian media reporting (LRT, Delfi) indicates that personal data linked to intelligence and security officers is among the affected records, which is the detail that escalated the incident from an administrative failure into a national-security matter. As of publication, the agency has not named the third-party institutions whose credentials were misused, and no group has publicly claimed responsibility.
How were the credentials obtained?
Lithuanian authorities have not published a technical post-mortem, but two routes account for almost all credential-reuse attacks against European public-sector portals: stealer-log credential reuse and initial access broker (IAB) sales. Both routes have been the dominant non-phishing entry vector across Europe through 2025 and 2026. The attacker does not need to breach the central system. They obtain valid credentials issued to a trusted third-party institution and replay them against the portal.

How big is the underlying credential supply chain?
Across 18 Lithuanian institutional domains we sampled in Alerts.bar’s stealer-log corpus, more than 42,900 raw user credentials and 60,700 stolen browser session cookies are sitting in the marketplaces that Lithuanian attackers and their resellers draw from. The categorisation below groups domains by sector, since the point is the systemic exposure of the ecosystem and not any individual organisation.

Banking dominates the credential supply because retail-banking users far outnumber agency-portal users. The cookie count is what matters for portal access: a fresh session cookie replays the existing login without re-prompting the user for credentials or a multi-factor challenge.
How big is the staff-credential exposure?
The single most important number in this incident is not the 600,000 affected register records, it is the number of infected staff endpoints across the ecosystem. Stealer logs distinguish between user accounts (citizens logging into a service) and staff accounts (employees of the institution itself, identifiable by corporate email). Staff endpoints carry the privileged sessions that can issue large-volume register queries; user endpoints generally cannot.

Three live infected staff endpoints at the breached agency itself is a small number, but it is not zero, and it is enough. Once an attacker has working cookies or a credential for any one of those endpoints, the path to query the registers through legitimate channels is open until the cookie expires or the session is invalidated. The wider ecosystem of 60 live infected staff endpoints across the sampled domains means a buyer in the credential market has multiple authorised institutions to choose from at any given moment.
Why cookies, not passwords, are the real story
Modern infostealers exfiltrate browser session cookies alongside saved passwords. A live session cookie can be replayed against the target portal without re-authenticating, which means multi-factor authentication does not stop the access. We covered this in detail in our piece on session cookie theft as the dominant MFA bypass of 2026. The 1,326 cookies tied directly to the breached agency’s own domain are the active blast radius; the 60,700 cookies across the wider sampled ecosystem represent the supply of authorised-session impersonations an external buyer could draw from.
Who would target a state registry?
State registries are high-value targets for three distinct buyer categories. Financially motivated criminals use registry data to build convincing impersonation packages for loan fraud, real estate fraud, and tax fraud. Identity-theft brokers package register entries into bulk identity files sold on Russian-language forums. And foreign intelligence services use register data to map ownership of strategic assets, identify cover identities, and build dossiers on individual officials.
The Lithuanian prosecutor’s statement that records relating to intelligence and security personnel were touched in this incident sits squarely in the third category. Ransomnews is not in a position to attribute the operation, and Lithuanian authorities have not named a perpetrator publicly. We note only what investigators have said: the queries came from abroad, and the misuse exploited valid third-party credentials rather than a vulnerability in Registrų centras’ own systems.
How does the IAB market fit in?
Initial access brokers have professionalised the resale of stealer-log credentials. A broker harvests stealer logs at scale, indexes them by target domain, and sells access bundles to other criminals or state-aligned operators. Listings for Baltic banks, Lithuanian government portals, and Nordic financial systems appear regularly on the major Russian-language access markets. The price point for credentials to a state-registry portal sits in the low four figures in USD when working session cookies are included, and considerably lower when only passwords are on offer.
That economics matters because it makes this kind of attack cheap to attempt repeatedly. A buyer does not need to develop a zero-day or run a phishing campaign. They buy the cookie, replay the session, and conduct queries through the legitimate portal until the authorised institution notices the anomaly or the cookie expires.
What should affected parties do?
If you are an institution that holds Registrų centras query credentials, the immediate steps are concrete and cheap. Rotate all service-account passwords and force re-authentication on every administrative session. Pull endpoint detection logs for the last 90 days and search for known infostealer family indicators (Lumma, StealC, Vidar, Redline, Raccoon). Invalidate any active sessions to the portal and require fresh logins with hardware-bound second factors where available. Audit which devices, including personal ones, have stored credentials for state-system access.
If you are a Lithuanian citizen whose register entry may have been touched, the realistic exposure is identity-theft and targeted phishing. Treat unsolicited messages claiming to come from notaries, banks, or government agencies with elevated skepticism for the next 12 months. Monitor your credit and any registered businesses for unauthorised changes.
Organisations that want to check their own stealer-log exposure can run their domain through our free stealer-log checker, which queries the Alerts.bar index. Endpoint protection that catches infostealers before they exfiltrate is covered in our business ransomware protection picks. Specialist dark-web monitoring services subscribe to continuous feeds of newly harvested logs and alert when your domain appears.
What this means for public-sector defenders
The Registrų centras incident is a clean example of a pattern that is now routine across European public-sector infrastructure. The attacker does not breach the central system; they breach a partner. The central system trusts the partner’s credentials by design, so the abuse looks like normal traffic until anomaly detection or a third-party tip flags it. Defending against this requires two changes that most agencies have not yet made: continuous credential-leak monitoring at the partner level, and behavioural anomaly detection on the central portal that compares query patterns against the partner’s historical baseline.
For the next 30 days, expect copy-cat attempts against other Baltic and Nordic state registers. The Lithuanian incident gives criminal and state-aligned actors a tested playbook, and the underlying market for stealer-log credentials does not run out.
Frequently asked questions
How many records were exposed in the Registrų centras breach?
Approximately 600,000 records from the Real Estate Register and the Register of Legal Entities, according to public statements from Lithuanian authorities on 25 May 2026.
Who is responsible for the Registrų centras data leak?
No group has been named publicly. The General Prosecutor’s Office said queries were made from abroad using the credentials of authorised institutions, and the Criminal Police Bureau is leading the pre-trial investigation. No formal attribution has been issued.
Was Registrų centras itself hacked?
Not in the conventional sense. The agency’s own perimeter does not appear to have been breached. The attacker used the valid credentials of third-party institutions that are authorised to query the registers, then ran queries that the central system saw as legitimate.
Were intelligence officers’ personal data affected?
Lithuanian media reports indicate that a subset of the accessed records relates to intelligence and security personnel. This is the detail that elevated the incident from an administrative failure to a national-security matter.
Why did the director resign?
Adrijus Jusas resigned on the day of disclosure. The agency did not publish a detailed rationale, but resignation on the day of a high-impact public disclosure usually reflects either accountability or political pressure. Either way, leadership transition is now under way at the Centre.
How can institutions check if their credentials are circulating in stealer logs?
Run your domain through a stealer-log lookup service such as the free Ransomnews stealer-log checker or the underlying Alerts.bar dataset. Specialist dark-web monitoring services subscribe to continuous feeds of newly harvested logs and alert when your domain appears.
Does multi-factor authentication protect against this kind of attack?
Not on its own. Infostealers exfiltrate browser session cookies, which let an attacker replay an authenticated session without re-entering credentials and without triggering an MFA challenge. Hardware-bound second factors (FIDO2 / WebAuthn) and short session lifetimes are the practical defences.
Related Ransomnews coverage
- Stealercheck, free domain-level exposure check against the stealer-log economy.
- Ransomtracker, live index of active ransomware operations and their published victims.
- Initial access brokers 2026, the upstream market for credentials operators reuse.
- Session cookie theft and MFA bypass 2026, why cookies, not passwords, are the practical risk.
- Best ransomware protection for business 2026, endpoint and platform-level defences ranked.
- Best dark-web monitoring services, continuous alerts when your credentials surface.
Keywords: Registrų centras breach, Registru centras data leak 2026, Lithuania state register hack, Real Estate Register breach Lithuania, Register of Legal Entities leak, authorised institution credential abuse, stealer log credential reuse Baltic, initial access broker Lithuania, session cookie MFA bypass 2026, Lithuanian public sector stealer log exposure, Alerts.bar stealer log index, national security records breach, Adrijus Jusas resignation.
This report draws on official Lithuanian statements, public reporting, and primary stealer-log data from Alerts.bar. Numbers in the charts above are aggregate counts across 18 sampled Lithuanian institutional domains, grouped by sector. Individual organisations are not named in keeping with our editorial policy on credential-exposure reporting. Ransomnews will update the article as additional confirmed facts emerge.
